A chipset off the old block

This teen cyber sleuth follows in his father's keystrokes

Hackers from 23 countries made more than 5,500 unsuccessful attempts to break into what looked like the National Security Agency’s employee portal. The site was actually a “honeypot,” a decoy to lure bad guys. It was run from the Fredericksburg, Virginia, headquarters of Vann TechCyber, also known as the bedroom of Paul Vann Jr., its 14-year-old CEO.

“I wanted to see how they were breaking in and what tools they were using, looking for patterns,” said Paul, a high school sophomore at the Commonwealth Governor's School program for gifted students. “It wasn't a homework assignment for school or anything; I just like doing research on my own.”

Paul Vann Jr. and his dad, cybersecurity professional Paul Vann Sr., have found the ultimate father-son activity, one that's fun while it builds a future. While the elder Vann protects clients’ information as a senior manager of cyber engineering at Raytheon, the younger Vann conducts penetration tests to measure the strength of digital networks.

It started when the younger Vann was nine. Dad gave him a broken computer to repair; later, he took him to ShmooCon, an annual hacking convention in Washington, D.C.

“I loved the environment there, but I really got hooked after reading the book ‘Ghost in the Wires’ by Kevin Mitnick,” the famous hacker, Paul Jr. said. “He didn’t explain any of his techniques, so I taught myself by watching YouTube videos and downloading tools from the Internet.”

Paul Jr. calls himself an ethical hacker, getting permission from system administrators before accessing their networks.

“I won’t do any harm to systems, and I won’t destroy or steal data,” he said. “Everything I’m doing is legal. I always ask first.”

Paul Jr. presented the results of his NSA honeypot to about 200 people at the 2015 DerbyCon in Kentucky. He then spoke at several other cybersecurity conferences, including BSides Charm in Baltimore and THOTCON in Chicago. Afterwards, a half dozen companies offered him internships.

Too young to accept, Paul Jr. instead embarked on several new projects. He’s investigating the top five hackable automobiles on the market today, and ways to exploit a car’s CAN bus, which is the hardware and software protocol used to exchange data between electronic control units, allowing, for example, a parking brake to automatically release when seat belts are fastened.

Meanwhile, Paul Jr. is taking online math classes at MIT, attending college courses in theoretical physics at the University of Mary Washington, playing varsity tennis and baseball and tinkering on an “invisibility cloak” like Harry Potter’s using acousto-optics principles. Oh, and he’s working toward becoming an Eagle Scout.

“Unfortunately, he said, "only the Cub Scouts have a merit badge for cybersecurity."